Consumer Reports found that some Amazon’s Choice video doorbells have security so bad that a complete stranger can pair their phone to your doorbell simply by holding the exterior button for eight seconds.
Bad actors can even access still images from thousands of miles away, without needing any credentials for your account, creating a privacy nightmare …
The consumer protection organisation found that the same video doorbells were sold under a wide range of brand names.
They were sold under two brand names, Eken and Tuck […] Online searches quickly revealed at least 10 more seemingly identical video doorbells being sold under a range of brand names, all controlled through the same mobile app, called Aiwit, which is owned by Eken. We bought two of these products, sold under the Fishbot and Rakeblue brands, and found the same vulnerabilities.
The first egregious failure was a complete lack of security when it came to physical access.
The video doorbells pose a special threat to individuals who are in danger from people who know where they live.
Anyone who can physically access one of the doorbells can take over the device—no tools or fancy hacking skills needed. Let’s imagine that an abusive ex-boyfriend wants to watch the comings and goings of his former partner and her children. He’d simply need to create an account on the Aiwit smartphone app, then go to his target’s home and hold down the doorbell button to put it into pairing mode. He could then connect the doorbell to a WiFi hotspot and take control of the device.
As the new “owner” of the device, he could now watch who comes and goes, and when.
The second is the ability to access still images from a server, with absolutely no credentials required.
Once the stalker has the serial number, he can continue to remotely access still images from the video feed. (The CR journalist provided the serial number to Blair to allow him to remotely access her camera.) No password is needed, or even an account with the company, and no notification is sent to the doorbell’s owner.
In our scenario, the dangerous actor will continue to see time-stamped photos of everyone who comes and goes. And if he chooses to share that serial number with other individuals, or even post it online, all those people will be able to monitor the images, too.
If someone isn’t targeting a specific individual, and just wants to access random cameras, they can simply try serial numbers. While this doesn’t allow them to view video, it does allow access to still images.
Consumer Reports said that at least two of the brands – Eken and Tuck – have been recommended as Amazon’s Choice, even after Amazon was alerted to the problem.
Multiple websites have noted in the past that Amazon’s Choice ratings are far from a reliable guide, with zero transparency as to how they are selected. The offending brands remain on sale at the time of writing.
Once again, we repeat our recommendation to stick to cameras which support Apple’s HomeKit Secure Video.
Photo: Eken/Amazon under Fair Use | Background by Siora Photography on Unsplash